Friday, 15 April 2016

FDMEE Hybrid and the REST Part 1

The recent FDMEE 11.1.2.4.200 PSU added new hybrid functionality which in basic terms means it is now possible to integrate between on-premise and Oracle cloud applications.

I thought it would be useful to go through getting up and running with the hybrid functionality and then have a more detailed look at what is happening behind the scenes, this all ties in nicely with my previous posts on EPM REST web services as hybrid is no different and relies heavily on the REST API.

To get started here is what the documentation has to offer on the new addition to FDMEE:

Oracle Hyperion Financial Data Quality Management, Enterprise Edition can be used as a primary gateway to integrate on-premise and cloud based applications.

This features allows EPM customers to adapt cloud deployments into their existing EPM portfolio.

You might use the integration to import data from existing on-premise ERP applications, or synchronize data from on-premise EPM applications.

For example, a Oracle Hyperion Financial Management customers can add Oracle Hyperion Planning data or a Planning customer can add more Planning applications.

In addition, this integration includes writing back from a cloud to an on-premise application or other external reporting applications.


This type of integration supports on-premise sources such as:


•    On-premise ERP applications from supported source to Oracle Cloud
•    On-premise EPM applications to Oracle Cloud
•    Oracle Cloud to on-premise EPM applications
•    Oracle Cloud to EBS/Peoplesoft GL
•    Oracle Cloud to on-premise external sources using custom application
 
I am going to concentrate on the integration with PBCS which in the April 2016 release added hybrid support, the new features documentation included the following information:

"Starting with this release, you can use the on-premises FDMEE Release 11.1.2.4.200 to load data to and from the service without the need to set up Data Management content in Oracle Planning and Budgeting Cloud.

You can load data to the service from any on-premises source that FDMEE supports and then extract data from the service back to the onpremises sources directly, including drill-through and writeback."


So FDMEE now provides the ability to load data from any supported on-premise source and then exported into a PBCS application, alternatively data can be extracted from a PBCS application and loaded into an on-premise target.

When you look at the amount of different source systems available to the on-premise version of FDMEE compared to PBCS then you realize why hybrid could be a good option.


Besides all the above sources it is possible to configure an EPM application as the source and have a PBCS application as the target or the other way round.

Currently in PBCS data management you can only use a file or an Oracle Fusion cloud application as a source.

With on-premise FDMEE there is also the advantage of being able to use scripting while PBCS is heavily restricted on that front.

There is the argument of if you are going to invest in having FDMEE on-premise then why not have planning as well but I am not going to get into the politics around cloud deployments.

Anyway before you can even start to use the hybrid functionality you will need to be on FDMEE 11.1.2.4.200+

The 11.1.2.4.200 patch number is 22452414 (ignore this if you are on a newer version)

The patch readme provides the information on how to apply the patch using Opatch.

There are some additional configuration steps that are required which are not covered in the readme but are in the FDMEE documentation, the FDMEE documentation was not released when I first configured so I had to go through the pain of trying to get hybrid to work.

I will go through the steps shortly but I want to show the errors that occur in FDMEE if they are not implemented.

In FDMEE the PBCS application will need to be added as a target, there is now a cloud option when you add a target.


This will open a window to enter your cloud credentials so in my case PBCS credentials.


Now because I have not done any of the additional steps after applying the patch the following error is generated.


The reason behind this error is because EPM 11.1.2.4 deploys WebLogic 10.3.6 and by default implements Certicom SSL which does not support SHA256 algorithms that the PBCS SSL certificate has been issued with.

The workaround for this is to configure the FDMEE WebLogic managed server to use Java Secure Socket Extension (JSSE) SSL which is able to handle the certificate.

From WebLogic 12.1.1 JSSSE is the only SSL implementation that is supported and the Certicom based SSL implementation has been removed.

To configure the WebLogic admin server will need to be started the admin console accessed.

Select the FDMEE WebLogic server (still called ErpIntegrator(n)), you may have multiple servers to configure depending on your environment.


Go to the SSL tab


Under advanced enable “Use JSSE SSL” and apply.


We are not finished with the configuration but I will show you want happens if you only implement the above change and then try to add the PBCS target again in FDMEE.


The reason for this error is that the PBCS SSL certificate has been issued using a wildcard.


By default, the WebLogic configuration does not support wildcard certificates so to rectify this issue a couple of changes are required.

In the same place as the JSSE SSL was enabled there is a field called “Hostname Verification” and this requires updating to “Custom Hostname Verifier

Add “weblogic.security.utils.SSLWLSWildcardHostnameVerifier“ to  “Custom Hostname Verifier

Apply and activate these changes.

Now the documentation includes an additional step which I did not need to implement and did not encounter any issues, it may only be required if the on-premise environment has been configured to use full SSL but I can’t confirm that yet.

To be complete I will include it, the process involves importing the PBCS SSL certificate into the Java KeyStore (JKS) that WebLogic has been configured to use.

First the certificate needs to be exported which can be done from your web browser, log into your PBCS application and you should see a lock icon next to the URL.


It will be in a slightly different location depending on the browser type and version, click the icon and view the certificate

In the details tab then there will be an export button if the browser is Firefox, if it is IE there should be button with “Copy to File



Save the certificate and transfer it over to the Web application servers.

As this is only for demo purposes I am going to import into the WebLogic demo keystore, depending on your environment WebLogic may be configured to use a different keystore especially if it is production.

The certificate can be imported using the Java keytool command line interface.


You should be prompted to trust the certificate.


 The list command can verify whether the certificate has been added to the keystore.


Once the changes have been implement restart the FDMEE web application server.

This time when the target application is added in FDMEE no error should be generated and you will be presented with the option to select an application.


I am going to leave it there for today and in the next part I will go into detail on how the hybrid functionality works and interacts with the REST API.

1 comment:

Anonymous said...

Hi John - Great blog post, and we think hybrid is going to be a great solution for a vast many of our customers as they incrementally move to the cloud. Impressive that you got it to work without adding the certificate to the keystore, so I'll follow up with dev on your approach.

Mike Casey
mike.casey@oracle.com